United States v. Councilman: This Time the Sky Really *Is* Falling:

In debates on Internet surveillance law, I often end up arguing that reports of privacy's death have been greatly exagerrated. For example, I wrote a law review article in 2002 describing the effect of the USA Patriot Act on Internet surveillance law as The Big Brother That Isn't. Two weeks ago, however, the First Circuit decided a case called United States v. Councilman that poses a very real threat to Internet privacy. There has been some press on the case already, but some writers and commentators have also suggested that the decision really isn't a big deal. Declan's take is representative of the no-big-deal school:

the folks who are most upset about this haven't read the court's opinion carefully, and those that have are discounting the ability of state law and tort sanctions to keep people in line. There are other mechanisms than just federal wiretapping law that can enforce good behavior.

I disagree with Declan, and thought it might be worth explaining why the Councilman decision is so dangerous.

First, a bit of background. Federal law protect e-mail privacy through two primary laws: the Wiretap Act, codified at 18 U.S.C. 2510-22, and the Stored Communications Act, 18 U.S.C. 2701-11. The Wiretap Act offers very strong protection against the real-time interception of telephone or Internet communications. If any one tries to step in and snoop on the contents of another person's communications, they commit a federal felony offense unless one of several fairly narrow exceptions applies. If the government tries to do this, they need a super-search warrant called a Title III order. In contrast, the Stored Communications Act sets up lesser privacy protections for access to stored communications. First, the law is much narrower; it applies only to files held by particular providers, and has much broader exceptions. Second, the prohibition against snooping on stored files is much narrower and ordinarily a misdemeanor. Third, law enforcement access to stored files is normally governed my a basic warrant requirement, rather than a super-search warrant requirement. Why the different treatment for stored and in-transit communications, you wonder? Well, there are a couple of reasons, but one important reason is that the Supreme Court suggested in Berger v. New York that in-transit interception requires special protections under the Fourth Amendment. (By the way, I discuss how the Wiretap Act applies to the Internet in the Big Brother article I linked to above. I also give a basic explanation of the Stored Communications Act in a forthcoming article you can download in draft form here.)

The Councilman case addresses an ambiguity in the line between the Wiretap Act and the Stored Communications Act. The question is, when is a file stored, and when is it in transit? This is a big question because on the Net communications are often at rest for very brief periods of time in the course of transmission, and the statutory text doesn't make particularly clear whether access to a file that is at rest for a nanosecond is supposed to be covered by the Wiretap Act or the Stored Communications Act. Councilman involved an ISP employee who wrote and installed a computer program to scan incoming e-mail of the ISP's customers; ISP employees would then read the e-mails and try to use them for the commercial advantage of the ISP. In a nutshell, the First Circuit held (by a vote of 2-1) that because the program scanned the e-mails while they were at rest for a nanosecond, the e-mails were in storage at that time and access to them was covered by the Stored Communication Act, not the Wiretap Act. Because Councilman had been indicted for violating the Wiretap Act, the Court affirmed the dismissal of Councilman's indictment.

Why is this decision a big deal? It's a big deal because the line between the Wiretap Act and the Stored Commmunications Act doesn't just regulate ISPs. It regulates everybody, including federal and state criminal investigators. The Justice Department and Congressional staffers have interpreted the Wiretap Act quite broadly and the Stored Communications Act quite narrowly, and based both existing practice and recent legislative amendments on that understanding. When I was at DOJ advising agents on this sort of thing, the informal yardstick was that when a law enforcement agent planned a series of accesses to a file or account, the repeated series of accesses triggered the Wiretap Act rather than the Stored Communications Act. So in a pre-Councilman world, an FBI agent couldn't make an end-run around the Wiretap Act by lining up a bunch of warrants and executing them once every ten minutes. This approach remained true to the Supreme Court's decision in Berger and also ensured that the strong privacy protections of the Wiretap Act were not gutted by end-runs around the statute.

The Councilman approach largely nullifies the Wiretap Act online, by contrast, with rather remarkable implications. It is my understanding that when the FBI gets a Wiretap order to install a network wiretapping device such as Carnivore, they usually install the device at a nanosecond-storage point. Well, guess what, folks-- that's no longer regulated by the Wiretap Act. Under Councilman , DOJ can install Carnivore with at most only a search warrant. Even worse, the FBI doesn't need a search warrant at all if the owner of the computer where Carnivore is installed consents and that owner is a University or business other than an ISP. Because the exceptions to the Wiretap Act are narrow while the exceptions to the Stored Communications Act are much broader, the switch from protection via the former to via the latter is not only a switch to lesser protection, but in many cases a switch to no protection at all. For example, if the FBI wanted to install Carnivore at my university's servers and the university was willing to let them do this, the FBI could monitor all of my incoming and outgoing e-mail (and all of the e-mail of everyone at the University, for that matter) in real-time without any legal process or oversight whatsoever. Do you remember the controversy over the "computer trespasser" exception to the Wiretap Act, which was one of the most controverial sections in the USA Patriot Act? Under Councilman, that kind of monitoring generally will not even implicate the Wiretap Act in the first place, so the monitoring is no longer limited by the specific statutory requirements of the trespasser exception. Bad stuff. Very bad.

There are rumors afoot that Congress may step in and fix this problem soon. Fortunately, the politics are a win-win: both DOJ and civil liberties groups want the prior understanding restored. There is even proposed statutory language floating about that would do the trick quite nicely. Let's hope that Congress acts sooner rather than later. Stay tuned.

First Circuit Grants Rehearing in Councilman Case:

This is great news for Internet privacy. More here and here. Thanks again to Howard for the heads up.

Councilman Merits Briefs: VC readers who have been following the ongoing First Circuit litigation in the important Internet wiretapping case of United States v. Councilman might be interested to know that the briefs for the en banc rehearing have now been filed. I am delighted to say that the coalition of privacy groups I am serving as lead counsel has expanded. At the petition for rehearing stage, the coalition consisted of the Center for Democracy and Technology, the Electronic Frontier Foundation, the Electronic Privacy Information Center, and the American Library Association. This time around, we have also been joined by the American Civil Liberties Union and the Center for National Security Studies.

  You can find the brief we filed on Friday for the en banc rehearing here. For other documents and information about the case, including additional amicus briefs, check out this page. Oral argument will be held in Boston on December 8.
Councilman and the E-Mail Privacy Act of 2005: Last fall, I blogged a few times about a very important e-mail privacy case, United States v. Councilman. The original panel decision in Councilman had gutted the privacy protections of the Wiretap Act, and the First Circuit vacated that opinion in October and held oral argument before the full First Circuit in early December. (Full disclosure: I am counsel of record to a group of amici in the case, including the ACLU, the Center for Democracy and Technology, and the Electronic Frontier Foundation.)

  It's been sixth months since the First Circuit's en banc argument, and no opinion has been issued. In the mean time, Congress has introduced a number of statutory amendments to try to settle the matter. The best was introduced on April 28: Senator Leahy introduced S. 936, the E-Mail Privacy Act of 2005, which is a very short and sweet solution. The Leahy bill adds just a few words to the definition of "intercept" under the Wiretap Act to make its already implicit temporal scope textually explicit. It's an elegant and correct amendment. (More full disclosure: I was consulted on the language before the bill was introduced.)

  I remain optimistic that the Leahy bill won't be necessary; the bill really just reinforces the interpretation that the First Circuit should be reaching anyway. Still, it's good to know that some in Congress are following this issue.
Councilman Update: Great news -- the en banc First Circuit has issued its opinion in United States v. Councilman, a very important Internet privacy case, and reversed the district court. I'm working my way through the opinion now and will offer some thoughts later in the day. Thanks to Howard for the link.
Councilman and the Need for Legislative Reform: I've been mulling over yesterday's First Circuit en banc opinion in United States v. Councilman, an important Internet wiretapping case. I realize that this post isn't likely to be of much interest to general readers, as it's pretty technical stuff, but I wanted to offer some thoughts on the decision and where we go from here for readers who may have been following the case (all remarks are in my personal capacity, by the way).

  First, the First Circuit's opinion is remarkably narrow. The Court did not resolve the big question that many have believed was at the heart of the Councilman case, namely, the scope of "intercept" in the context of Internet communications. Instead, the Court construed Councilman's brief as only raising the question of whether a communication could both be in "electronic storage" and also constitute an "electronic communication." The majority quite properly concluded that the answer was yes, and thus reversed the district court. On the question of the meaning of intercept, the court concluded that Councilman had drafted his brief in such a way that the meaning of intercept was "simply a variation on, and entirely subsumed within" his argument on the meaning of electronic communication. Given that, there was no need to wade into the "morass" of issues raised by the definition of "intercept."

  This is a somewhat frustrating answer from an analytical perspective, as the meaning of "intercept" and the meaning of "electronic communication" are quite distinct. Further, Councilman's argument that a communication could not both be in storage and an electronic communication was always quite weak. Consider this: At the time of the conduct in Councilman, the Stored Communications Act, 18 U.S.C. 2701-11, the federal statute that protects the privacy of Internet communications in storage, applied only to electronic communications. Thus, if Councilman's argument on this point was right — and remarkably, judges Torruella and Cyr thought it was — the Stored Communications Act by definition could never apply to anything. (That is, the statute only applied to stored electronic communications, but the Councilman argument adopted by Judges Cyr and Torruella insists that Congress clearly intended that there could be no such thing as a stored electronic communication.) This reading of the statutory scheme would have been rather remarkable.

  In the end, then, the First Circuit answered a very easy question, and decided that given the defendant's brief it didn't need to decide the hard one. What this effectively does, I think, is put the ball back in Congress's court. The en banc opinion leaves the major issue open, and the issue is sufficiently central to the basic framework of Internet surveillance law that some kind of statutory solution seems very much needed. My own recommendation is for Congress to pass Senator Leahy's bill, S. 936, The E-mail Privacy Act of 2005, which I blogged about back in May. Leahy's bill is a very good fix, and will resolve the "morass" of issues that were briefed before the First Circuit but not resolved by its en banc opinion.